| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aS2X7cIiRnR26hyg@willie-the-truck> Date: Mon, 1 Dec 2025 13:28:13 +0000 From: Will Deacon <will@...nel.org> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: "Russell King (Oracle)" <linux@...linux.org.uk>, Zizhi Wo <wozizhi@...weicloud.com>, Catalin Marinas <catalin.marinas@....com>, jack@...e.com, brauner@...nel.org, hch@....de, akpm@...ux-foundation.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org, linux-arm-kernel@...ts.infradead.org, yangerkun@...wei.com, wangkefeng.wang@...wei.com, pangliyuan1@...wei.com, xieyuanbin1@...wei.com Subject: Re: [Bug report] hash_name() may cross page boundary and trigger sleep in RCU context On Fri, Nov 28, 2025 at 09:06:50AM -0800, Linus Torvalds wrote: > On Thu, 27 Nov 2025 at 02:58, Russell King (Oracle) > <linux@...linux.org.uk> wrote: > > > > Ha! > > > > As said elsewhere, it looks like 32-bit ARM has been missing updates to > > the fault handler since pre-git history - this was modelled in the dim > > and distant i386 handling, and it just hasn't kept up. > > I actually have this dim memory of having seen something along these > lines before, and I just had never realized how it could happen, > because that call to do_page_fault() in do_translation_fault() > visually *looks* like the only call-site, and so that > > if (addr < TASK_SIZE) > return do_page_fault(addr, fsr, regs); > > looks like it does everything correctly. That "do_page_fault()" > function is static to the arch/arm/mm/fault.c file, and that's the > only place that appears to call it. > > The operative word being "appears". > > Becuse I had never before realized that that fault.c then also does that > > #include "fsr-2level.c" > > and then that do_page_fault() function is exposed through those > fsr_info[] operation arrays. > > Anyway, I don't think that the ARM fault handling is all *that* bad. > Sure, it might be worth double-checking, but it *has* been converted > to the generic accounting helpers a few years ago and to the stack > growing fixes. > > I think the fix here may be as simple as this trivial patch: > > diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c > index 2bc828a1940c..27024ec2d46d 100644 > --- a/arch/arm/mm/fault.c > +++ b/arch/arm/mm/fault.c > @@ -277,6 +277,10 @@ do_page_fault(unsigned long addr, ... > if (interrupts_enabled(regs)) > local_irq_enable(); > > + /* non-user address faults never have context */ > + if (addr >= TASK_SIZE) > + goto no_context; > + > /* > * If we're in an interrupt or have no user > * context, we must not take the fault.. > > but I really haven't thought much about it. In the hack I posted [1], I deliberately avoided modifying do_page_fault() as it's used on the permission fault path. With your change above, I'm worried that userspace could simply try to access a kernel address and that would lead to a panic. Will [1] https://lore.kernel.org/all/aShLKpTBr9akSuUG@willie-the-truck/
Powered by blists - more mailing lists